cheating-proof-transcripts/DecryptionCheatingProofs
Sarah Jamie Lewis a8fd818dd7 Adding Cheating Proof Examples 2019-10-25 21:07:16 -07:00
DecyptionProofTest_Insert.java Adding Cheating Proof Examples 2019-10-25 21:07:16 -07:00
README Adding Cheating Proof Examples 2019-10-25 21:07:16 -07:00

README

This folder contains proof transcripts that demonstrate a
flaw in the decryption proof method implemented in the
SwissVote-Scytl mixnet.  They were generated by Sarah Jamie Lewis, Olivier
Pereira and Vanessa Teague, using techniques described in our report.

This flaw is completely distinct from the subject of our earlier paper,
which described trapdoors in the shuffle mechanism.  Even if that issue
were corrected, this problem would remain.

In order to verify the proof transcripts, you will need to have a running
copy of the Swisspost-Scytl voting system.

Copy the function deserializeProofFromJSONAndCheckOk() from 
DecryptionProofTest_Insert.java into
/scytl-cryptolib/cryptolib-proofs/src/test/java/com/scytl/cryptolib/proofs/service/DecryptionProofTest.java
and run it.

You can see two different cheating decryption proofs hardcoded into the
function.  The first one contains a nonsense value, which it proves to decrypt to 7.
The second one contains a 3, but proves that it decrypts to a nonsense value.

When you run the function, you should get the following output: 

Verifying Proof 1
Claimed plaintext =  ZpGroupElement [_value=7, _p=15294034768093677312256663166625633354362303, _q=7647017384046838656128331583312816677181151]
True decryption   = [ZpGroupElement [_value=12209177965119662820522312937377420599612363, _p=15294034768093677312256663166625633354362303, _q=7647017384046838656128331583312816677181151]]
Proof verified.

Verifying Proof 2
Claimed plaintext =  ZpGroupElement [_value=2750132861347711778626352267580572009032361, _p=15294034768093677312256663166625633354362303, _q=7647017384046838656128331583312816677181151]
True decryption =   [ZpGroupElement [_value=3, _p=15294034768093677312256663166625633354362303, _q=7647017384046838656128331583312816677181151]]
Proof verified.
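
The following Python script is an added example, not part of the original
README or of the Scytl code base.  It parses the expected output shown above
and lists every proof that the verifier accepted although the claimed
plaintext differs from the true decryption.  The function names are
illustrative assumptions.

```python
import re

# Group parameters and values below are copied from the expected output above.
P = 15294034768093677312256663166625633354362303
Q = 7647017384046838656128331583312816677181151
G = f"_p={P}, _q={Q}"
TRANSCRIPT = f"""\
Verifying Proof 1
Claimed plaintext =  ZpGroupElement [_value=7, {G}]
True decryption   = [ZpGroupElement [_value=12209177965119662820522312937377420599612363, {G}]]
Proof verified.

Verifying Proof 2
Claimed plaintext =  ZpGroupElement [_value=2750132861347711778626352267580572009032361, {G}]
True decryption =   [ZpGroupElement [_value=3, {G}]]
Proof verified.
"""

ELEM = re.compile(r"ZpGroupElement \[_value=(\d+), _p=(\d+), _q=(\d+)\]")

def parse_transcript(text):
    """Return one dict per 'Verifying Proof N' block in the test output."""
    proofs = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Verifying Proof"):
            proofs.append({"id": int(line.split()[-1]), "verified": False})
        elif not proofs:
            continue  # ignore anything before the first proof header
        elif line.startswith(("Claimed plaintext", "True decryption")):
            match = ELEM.search(line)
            if match is None:
                raise ValueError(f"unparseable group element: {line!r}")
            key = "claimed" if line.startswith("Claimed") else "true"
            proofs[-1][key] = tuple(int(g) for g in match.groups())
        elif line == "Proof verified.":
            proofs[-1]["verified"] = True
    return proofs

def soundness_failures(proofs):
    """IDs of proofs the verifier accepted although claimed != true decryption."""
    failed = []
    for proof in proofs:
        if "claimed" not in proof or "true" not in proof:
            raise ValueError(f"incomplete transcript for proof {proof['id']}")
        # Tuples are (value, p, q): a mismatch in value or group is a failure.
        if proof["verified"] and proof["claimed"] != proof["true"]:
            failed.append(proof["id"])
    return failed

if __name__ == "__main__":
    print("accepted but wrong:", soundness_failures(parse_transcript(TRANSCRIPT)))
```

Run against the output of a corrected verifier, the same check should return
an empty list.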